Rapid7 Blog

Pathetic DDoS vs Security Sites

POST STATS:

SHARE

On Friday, starting around 9:00pm CST, the main metasploit.com was hit with a highly-annoying, if pretty useless distributed denial of service. The attack consisted of a botnet-sourced connection flood against port 80 for the metasploit.com host name. This flood consisted of about 80,000 connections per second, all from real hosts trying to send a simple HTTP request. At the same time, Packet Storm and Milw0rm were being hit as well. About 95% of the bots would intermittently resolve metasploit.com and follow the target address with the connection flood. The other 5% continued to bang on the main metasploit.com IP address and port even after the host record was changed.

Solving this involved parking the metasploit.com host record at 127.0.0.1 and moving the other host names and services to a spare IP address. This allows for www.metasploit.com and most of our other domains and services to work properly. The only drawback is that until the flooding stops, we can't use the metasploit.com A record, which happens to be the default for updating the Metasploit Framework installation. A fun side effect is that they handed us full control of the DDoS stream: we can point the metasploit.com record anywhere we like and the connection flood will follow it.

We will continue to find other ways to mitigate the flood; but until we can safely use the metasploit.com name again, our standard online update mechanism is going to fail. If you are trying to check out a fresh copy of Metasploit from subversion, use the https://www.metasploit.com/svn/framework3/ URL for now. As of 9:30am CST, the Immunity web site is being hit as well. If anyone has information on the folks involved, we would love to hear from you :-)